Thursday, June 11, 2009

China Votes For Endpoint Security

The green what? The full name is even weirder - The Green Dam Youth Escort. It's a piece of filtering software the Chinese government is requiring to be shipped with all computers as part of its "anti-vulgarity" campaign.

China has been keeping a tight grip on the Internet for a long time. But the Green Dam project marks the country's first widespread attempt to control activity from the actual computer itself. No longer content to just monitor and block network traffic, China's maneouver is a surprising declaration of faith in the importance of endpoint security. Cloud advocates tell us that the endpoint matters less and less, but the world's most populous country seems to be moving in a different direction.

Before we draw too many conclusions, its worth noting that so far the system is not working too well. The Green Dam suffers from the same problems inherent in any massive effort to control the endpoint (kind of a mega FISMA with actual client side software). For one, there are obvious security and performance concerns involved in such a mammoth roll-out. Global Voices has an interesting translation of Chinese language posts about the problems ordinary Chinese are experiencing with the software.

So it's easy to dismiss the Green Dam Youth Escort as a futile project with a really dumb name. But people who mocked China's early efforts to control the Internet as doomed to failure have largely been proven wrong. Despite the apparent ease of circumventing the "Great Firewall", China has been largely successful at controlling and monitoring great portions of its Internet traffic.

The Chinese government has not released many details on the planned scope and implementation of the Green Dam system. There are certainly early indications that the planned Green Dam filtering extends beyond adult material to include political terms as well. It is also unclear whether there will one day be a NAC-type system in which only devices with an approved Green Dam agent are able to connect to the Internet. So far the only government requirement seems to be that the Green Dam software simply ship with the product. But it's hard to imagine that the government intends to rely on voluntary compliance after mandating the software distribution.

The Politburo Votes for Securing the Endpoint

China clearly sees value in controlling the endpoint. While other countries have relied strictly on network methods to control illegal content (such as Australia's recent flirtation with net filtering technology), the Green Dam project marks to my knowledge the first - and undoubtedly the largest - attempt to control content from the actual endpoint.

This is not a political blog so I don't want to get into the very dicey ethical question of whether hardware manufacturers should follow network and service providers in aquiescing to the Chinese government's demands (some justify their compliance by arguing that even a censored Internet ultimately promotes democracy). But aside from the significant human rights issues involved, it is interesting to consider the IT security lessons that China's move holds for enterprises trying to control their own content and traffic, albeit for much different reasons.

More than anything the Chinese move is yet another indication that perimeters and client machines still matter. China's previous model was more or less endpoint agnostic - the idea being that if you were surfing stuff the government didn't approve of, this would be detected or blocked at the ISP level. China now seems to be less confident in that approach. The powers-that-be seem to have decided that even with 30,000 censors the best place to nip things in the bud is right at the user's machine.

Why the Endpoint Still Matters

It's not only in China and the world of Green Dam Youth Escorts that the endpoint still matters. In many enterprises, there are vigorous debates on the role of personal devices and the degree of access they may be granted to corporate networks.

In a theoretical de-perimeterized world, (as advocated by the Jericho Forum and others), the actual endpoint device is basically irrelevant. From a theoretical perspective this may make sense, but reality is much different. The end point still matters a lot for a few major reasons:

1. The Law. What physical machine you work on is often the legal distinction between stuff you own vs. stuff you don't own.

2. Standards and contracts. For better or worse, PCI clearly places much more emphasis on network and client side security versus other forms of security. A lot of RFP and contractual language has the same bias.

3. Forensics and Discovery. A company has a much easier time getting access to it's own computers than access to an employee's personal machine.

4. Management and Auditing. It is still way easier to manage a company device than do some clean-access check on a personal device. Especially for small and medium enterprises, NAC-type projects are often far too costly and complex.

Technical solutions will come up to address issues (3) and (4) above. But it is (1) and (2) - the legal and contractual world - that will keep the endpoint critical in the near term. While the future may be deperimeterized, this will require a tide shift in the clear network-centric language of most contracts, regulations, and standards today. It might happen fast when it does happen. But it hasn't happened quite yet.

In the meantime, the government of the world's largest IT user base is betting that the endpoint can deliver for its censorship and monitoring needs.